John Evans: "Securing WebApps: An Illustrative Session"

Please RSVP if you are coming to the meeting so we don't run out of pizza (again!)

That's right baby, it's 2010, and we are very pleased to welcome regular Denver chapter attendee John Evans of MXLogic McAfee, who will deliver a presentation on common AppSec pitfalls and solutions. He will demonstrate various common AppSec problems using code samples in PHP, but developers of any flavor should be able to grasp the concepts.

An outline of his presentation is as follows:

Basic HTTP Transaction

Single diagram to get everyone on the same page.

XSS

What it is and what can be done with it.
Reflected
Persistent
DOM-Based
PHP code examples of bad code.
Exploit examples.
PHP code examples of good code.
PHP code examples (and pseudo-code) of better code.

Code Injection

What it is and what can be done with it.
PHP code examples of bad code.
Exploit examples.
PHP code examples of good code.

SQL Injection

What it is and what can be done with it.
PHP code examples of bad code.
Exploit examples.
PHP code examples of good code.

Directory Traversal

What it is and what can be done with it.
PHP code examples of bad code.
Exploit examples.
Code example of how to close directory traversals.

Email Injection

What it is and what can be done with it.
PHP code example of bad code.
Exploit examples.
PHP code example of good code.